With passwords “broken,” US rolls out Internet identity plan

Lack of trust on the Internet is costing us billions, says the US government, …

At a US Chamber of Commerce event today, the federal government rolled out its vision for robust online credentials that it hopes will replace the current mess of multiple accounts and insecure passwords. The choice of the Chamber of Commerce wasn't an accident, either; the government wants to squelch any talk of a "national Internet ID card" and emphasize that the plan will be both voluntary and led by the private sector.

The final version of NSTIC tries to address two problems: the fact that passwords are "broken" and the fact that it's almost impossible to prove your identity on the Internet. The future belongs to smart cards, cell phones, USB security sticks, and similar solutions—when the Department of Defense moved away from passwords to a smartcard security solution, it saw network intrusions drop by 46 percent.

The goal of the system is simple: create the baseline tools needed for online commerce to thrive. Indeed, the first sentence of the NSTIC final report reads: "A secure cyberspace is critical to our prosperity." The government hopes to enable whole new classes of online activity, such as dealing with health records or signing mortgages, that today few people would trust to the Internet. It also hopes to slow rampant ID theft, which it claims costs more than $600 per incident to fix.

The government hopes to facilitate this new ecosystem, one that will be interoperable and run largely by private parties. Under the plan, Internet users could go to any private credential provider of their choice and verify their identity, then use that credential to log in to any site which supports the identity ecosystem. Have one credential from Google and another from Verisign, but want to log in to Facebook? Either credential should work.

Users can choose how many credentials they acquire, what information is contained in each, and how much information is revealed at login.

For example, student Jane Smith could get a digital credential from her cell phone provider and another one from her university and use either of them to log-in to her bank, her e-mail, her social networking site, and so on, all without having to remember dozens of passwords. If she uses one of these credentials to log into her Web email, she could use only her pseudonym, "Jane573." If however she chose to use the credential to log-in to her bank she could prove that she is truly Jane Smith. People and institutions could have more trust online because all participating service providers will have agreed to consistent standards for identification, authentication, security, and privacy.

The program will be coordinated by the National Institute of Standards and Technology (NIST), the part of the Commerce Department that has set national standards since 1901. NIST will coordinate the new strategy but insists it will be led by the private sector, that privacy is paramount, and that consumer advocates and privacy groups will be part of the process.

NIST hopes to arrive at privacy standards that will give Internet users confidence in using such credentials, to clarify the liability that credentials providers will face should someone still manage to steal your identity, and to issue a "trustmark" that accredits participating credential providers and websites.

Public meetings on NSTIC begin in June, and NIST hopes to be funding pilot projects by 2012. Still, ordinary Internet users won't be able to use the system for three to five years.

123 Reader Comments

This will also make it easier for Uncle Sam to track our online purchases for taxation reasons. I wish they'd just be honest about their intentions and not rely so heavily on smoke and mirrors. Not against taxes... just against our government lying to us.

This will also make it easier for Uncle Sam to track our online purchases for taxation reasons. I wish they'd just be honest about their intentions and not rely so heavily on smoke and mirrors. Not against taxes... just against our government lying to us.

Yes, just like the way that NIST standardizes weights and measures lets them know how overweight I am.

If it's a completely private system, how exactly will the government use it to track people?

What's wrong with a national Internet ID? We have passports, SS accounts, driver's licenses all run by the state. It's not like it'll be used on every website, just anytime you need to prove to the government (like when you're voting) that you are who you say you are.

Imagine the voter turnout if you could vote online vs having to go to the polls or mailing in absentee ballots.

Who the hell let Obama press the "OHCRAP!" button !? In all seriousness, it's easy to see this evolve from an opt-in to a mandatory system in ... what ... maybe 2 years ?

A lot of corps. tried to push for real ID on the internet ( how many of you can remember the "internet driver's license" crap a few years ago? ). I can already see a lot of people will bandwagon on this craptastic but law-approved course of events.

At first there'll simply be more personalized ads ( sorry to say this, but remember the ads in "minority report" ? ). Then 3 - 4 years down the line the bomb will drop. Think online ID jacking. Some "kid in his mom's basement" will be able to hack pretty much any online ID belonging to regular Joe Schmoes and post on .gov forums using it. And poor Joe ends up with a nice fine to pay ... for the lulz

Sounds like an excellent idea to me. I find it rather obnoxious that many important documents must still be handled in person. If this lets me do everything at the DMV online (most DMVs have a few things online but not a whole lot), I am all for it.

Well ok, I guess I couldn't take a driving test online, but everything that is just documentation.

edit: I like the idea of being able to vote online as well. I'm sure there are massive security/fraud issues that would have to be resolved, but if it could be done that'd be great.

Sounds a lot like what OpenID already does. There are a whole lot of security issues and possible problems with this kind of a system, but we have to move to some way of verifying your identity other than commonly available personal info. I don't really think the government should be in charge though, their track record with large scale IT projects is dismal. The same goes for the large private sector corporations who usually get involved when the government tries to contract things out. An agile forward thinking company like Google or even MS needs to be the one coming up with this stuff.

This will also make it easier for Uncle Sam to track our online purchases for taxation reasons. I wish they'd just be honest about their intentions and not rely so heavily on smoke and mirrors. Not against taxes... just against our government lying to us.

NO NO NO. Did you not read the article about how aluminum causes Alzheimer's? Take off your tinfoil hat already....

The transaction itself is separate from the authentication. This ID only proves who you are to the site (and potentially the credit processor), but in NO WAY does the government have access to that data any more than today they have access to your credit card history. It does, and will continue to, require a warrant. This is essentially a form of personal Verisign.

This replaces a password, but it does not put the government in any way as a part of that system. They still have every hurdle they do today to get into those systems including not less than probable cause + a warrant issued on an active case file.

And as far as online taxation, 1) there is no federal sales tax, so why would the fed care? 2) Whether the site charges sales tax or not, you're still required by your state laws to report it anyway, and there's a convenient field on your state return to claim it, and failure to pay IS A CRIME.

Whether you have some central ID to acquire, or whether they simply flag you in a routine audit, note you put $0 in the "other unpaid sales taxes" field, then get your credit card receipts and ask why you bought $3,700 in stuff from Amazon and didn't pay sales tax has no difference. The states have a number of triggers they look for to see if you need to be audited, and if you are, this is one thing they look at. If you are not reporting your out-of-state purchases and live in a state that collects sales tax, GOOD LUCK, because it mostly is a matter of luck if you're not reporting it for if/when you will get a state tax audit, and the fines alone for one year likely exceed 5x what you're not claiming, and if you violate in one year, back-auditing the last 7 is generally automatic... Lack of their ability to track you is NOT an excuse not to pay taxes you cheapskate ass. It's like saying you don't have to claim tips as income if you are a waiter. Your access to a PC and a mailing address is NOT an excuse to not pay sales taxes.

Oh, great the same US Chamber of Commerce that was engaging in online espionage? Perfect choice. I can't wait until the new ID system is compromised by the Chinese after a fortune 500 company sells their encryption technology to make a couple bucks in China. Does anyone else understand we're basically at war with a huge trading 'partner' and our corporations won't let us fight?

What's wrong with a national Internet ID? We have passports, SS accounts, driver's licenses all run by the state. It's not like it'll be used on every website, just anytime you need to prove to the government (like when you're voting) that you are who you say you are.

Imagine the voter turnout if you could vote online vs having to go to the polls or mailing in absentee ballots.

There is nothing wrong with a National ID. The problem is when it becomes the central repository for your identity...when everything is tied to it. None of the other forms of ID you listed are a centralized database. Without a comprehensive national privacy policy you might as well give up any idea of privacy, even down to how often you get your teeth cleaned will become private knowledge. That is why so many people resist the idea of a National ID.

If it's a completely private system, how exactly will the government use it to track people?

The same way that the government presently uses existing completely private systems, like cell-phone tower switching logs, to geo-track people down to about 3 m. By disclosing your location to the cell carrier you have waived privacy, because you have no legal right of privacy in the cell carrier's routine business records. When your local, state, or federal LE then go to the carrier and ask for a voluntary data dump of their business records, then scan that dumped data for your cellie, you have no clear recourse against (i) the carrier; nor (ii) the LE who simply asked and received.

Sounds like an excellent idea to me. I find it rather obnoxious that many important documents must still be handled in person. If this lets me do everything at the DMV online (most DMVs have a few things online but not a whole lot), I am all for it.

Well ok, I guess I couldn't take a driving test online, but everything that is just documentation.

edit: I like the idea of being able to vote online as well. I'm sure there are massive security/fraud issues that would have to be resolved, but if it could be done that'd be great.

AFAIK the PA DMV will let you do anything except take tests or get the picture taken for a new ID online. Perhaps yours just needs to leave the 20th century. The only WTFy bit of the system is that it still takes a few weeks to process anything when they let 3rd-party companies have access to an expedited system for people willing to pay more because they need something done asap.

Oh, great the same US Chamber of Commerce that was engaging in online espionage? Perfect choice. I can't wait until the new ID system is compromised by the Chinese after a fortune 500 company sells their encryption technology to make a couple bucks in China.

A properly designed encryption system doesn't rely on obscurity in its mechanisms. Heck, it's considered a GOOD thing for encryption algorithms to be public and beaten on...

I believe education (why do you need secure passwords, and perhaps a password manager) is much more important than making compulsory plans that are weak to begin with, a hacker's treasure trove if you will.

What's wrong with a national Internet ID? We have passports, SS accounts, driver's licenses all run by the state. It's not like it'll be used on every website, just anytime you need to prove to the government (like when you're voting) that you are who you say you are.

because it'll probably end up being farmed out to the lowest bidder, resulting in some awful insecure overbudget Diebold-esque boondoggle

Sounds a lot like what OpenID already does. There are a whole lot of security issues and possible problems with this kind of a system, but have to move to some other way of verifying your identity other than commonly available personal info. I don't really think the government should be in charge though, their track record with large scale IT projects is dismal.

"A properly designed encryption system doesn't rely on obscurity in its mechanisms. Heck, it's considered a GOOD thing for encryption algorithms to be public and beaten on... " Yes, you're right, but that's not the point. The point is that our private enterprise solutions are always compromised by our private enterprise, which puts us at a disadvantage to the Chinese. Who seem to be robbing us blind. But what do I know? I'm sure these multinationals that pay their fair share and make a fair profit will always do the right thing.

If it's a completely private system, how exactly will the government use it to track people?

The same way that the government presently uses existing completely private systems, like cell-phone tower switching logs, to geo-track people down to about 3 m. By disclosing your location to the cell carrier you have waived privacy, because you have no legal right of privacy in the cell carrier's routine business records. When your local, state, or federal LE then go to the carrier and ask for a voluntary data dump of their business records, then scan that dumped data for your cellie, you have no clear recourse against (i) the carrier; nor (ii) the LE who simply asked and received.

Those actions require due process, authority from a judge, and an open case file related to an actual crime that was reported before the access occurred. They do NOT get a dump, they get a single record at a specified time. Also, by federal law, if they DID manage to get such a record without a warrant, and they did use that record to identify people to prosecute, that evidence is instantly inadmissible in court.

What's wrong with a national Internet ID? We have passports, SS accounts, driver's licenses all run by the state. It's not like it'll be used on every website, just anytime you need to prove to the government (like when you're voting) that you are who you say you are.

Imagine the voter turnout if you could vote online vs having to go to the polls or mailing in absentee ballots.

So, in this setting, if there are no passwords and you lose your cellphone, then someone now stole your entire identity including bank accounts.

Why not just extend the current root authority system to individuals instead. As we already know the problems of the system, I think it would be better than something we have never used, at least for a few years.

I see the fragmentation between my various user ids and passwords as a good thing. It's insulation; I don't want my ars technica log in to be the same as my bank log in. If one is compromised the other remains secure. The phrase "putting all your eggs in one basket" comes to mind.

This will also make it easier for Uncle Sam to track our online purchases for taxation reasons. I wish they'd just be honest about their intentions and not rely so heavily on smoke and mirrors. Not against taxes... just against our government lying to us.

First, indeed there is no way to identify random strangers on the internet. No system can solve this.

Second, the password concept is not broken though people certainly need to pick better passwords. And it is a security feature to have different passwords at different places.

Third, a central store or a network of identity stores is wronger than two boys effin in the church parking lot. Too big of a honey pot.

Fourth, identity authentication has already been solved with PKI. It just needs to be used properly. For example, if a bank offers online banking and the customer wants to use it, the customer needs to go to the bank and ask for a certificate for their browser to present to the bank's server. The certificate is of course pass phrase protected.

If it's a completely private system, how exactly will the government use it to track people?

The same way that the government presently uses existing completely private systems, like cell-phone tower switching logs, to geo-track people down to about 3 m. By disclosing your location to the cell carrier you have waived privacy, because you have no legal right of privacy in the cell carrier's routine business records. When your local, state, or federal LE then go to the carrier and ask for a voluntary data dump of their business records, then scan that dumped data for your cellie, you have no clear recourse against (i) the carrier; nor (ii) the LE who simply asked and received.

Those actions require due process, authority from a judge, and an open case file related to an actual crime that was reported before the access occurred. They do NOT get a dump, they get a single record at a specified time. Also, by federal law, if they DID manage to get such a record without a warrant, and they did use that record to identify people to prosecute, that evidence is instantly inadmissible in court.

Try without the tinfoil hat next time.

Try reading a bit before getting so dismissive. http://en.wikipedia.org/wiki/NSA_call_database The ugly truth is, current wiretapping laws are very VERY narrow in their definition of what an agency needs a warrant to collect; global traffic analysis without any court oversight is apparently fair game.

What's the difference from passwords really? Aren't they just storing complex passwords on media in the DoD system anyway? With this, wouldn't you be even more at risk if someone managed to copy your card? (Which may be harder, but now attackers only need to crack ONE system rather than dozens)

If it's a completely private system, how exactly will the government use it to track people?

The same way that the government presently uses existing completely private systems, like cell-phone tower switching logs, to geo-track people down to about 3 m. By disclosing your location to the cell carrier you have waived privacy, because you have no legal right of privacy in the cell carrier's routine business records. When your local, state, or federal LE then go to the carrier and ask for a voluntary data dump of their business records, then scan that dumped data for your cellie, you have no clear recourse against (i) the carrier; nor (ii) the LE who simply asked and received.

Those actions require due process, authority from a judge, and an open case file related to an actual crime that was reported before the access occurred. They do NOT get a dump, they get a single record at a specified time. Also, by federal law, if they DID manage to get such a record without a warrant, and they did use that record to identify people to prosecute, that evidence is instantly inadmissible in court.

Try without the tinfoil hat next time.

No, they don't require action from a judge, just a pen order. And, even then, not necessarily. Your GPS coordinates are not private and at least one mobile provider in the U.S. (Sprint) has an LEO portal that provides that information for nothing more than a nominal fee.

What a piece of garbage. What a crock. There are no dissenting points here. You got to love it when they say they are going out to the community and gathering consensus on a system, yet the idea that there should even BE a system is a priori. That list of people saying nice things about this standard? U.S. Senator John D. Rockefeller IV, “Establishing [the NSTIC] office represents an important step in the process of protecting the security and privacy of online transactions. It’s a critical piece of the larger cybersecurity puzzle." ^^^^ This is the same jackass who came up with the "Kill switch".

So, in this setting, if there are no passwords and you lose your cellphone, then someone now stole your entire identity including bank accounts.

Why not just extend the current root authority system to individuals instead. As we already know the problems of the system, I think it would be better than something we have never used, at least for a few years.

It's in ADDITION to your password, not replacing it. It's not a single password system, it's a validation of your ID/username through this system plus the passcode you enter. 2 factor.

If it's a completely private system, how exactly will the government use it to track people?

Perhaps the same way they use 3rd party databases like Equifax, Experian and TransUnion and a host of others to track us now. Because they're not governmental, many rules that apply to government activities don't apply to them, much like 3rd party defense contractors. Also, there's no requirement of accuracy in the data they keep.

I still think your best bet for any kind of identity security is to create as many unconnected on-line identities as possible. Sure, there are instances where you need to prove who you are to the government, banks, etc, but in most cases there is no advantage, only risk, in using your IRL identity. Sites like spokeo.com prove that a couple of bucks is the only barrier to all kinds of info about you.

I don't understand the culture's readiness to put everything about themselves into one basket. I get why marketers and governments would want to do it, but not individuals. Don't get me wrong: I love my Telescreen--I mean iPhone--but I still want to roam the information landscape freely without leaving a permanent trail for all to see.

If it's a completely private system, how exactly will the government use it to track people?

The same way that the government presently uses existing completely private systems, like cell-phone tower switching logs, to geo-track people down to about 3 m. By disclosing your location to the cell carrier you have waived privacy, because you have no legal right of privacy in the cell carrier's routine business records. When your local, state, or federal LE then go to the carrier and ask for a voluntary data dump of their business records, then scan that dumped data for your cellie, you have no clear recourse against (i) the carrier; nor (ii) the LE who simply asked and received.

Those actions require due process, authority from a judge, and an open case file related to an actual crime that was reported before the access occurred. They do NOT get a dump, they get a single record at a specified time. Also, by federal law, if they DID manage to get such a record without a warrant, and they did use that record to identify people to prosecute, that evidence is instantly inadmissible in court.

Try without the tinfoil hat next time.

No, they don't require action from a judge, just a pen order. And, even then, not necessarily. Your GPS coordinates are not private and at least one mobile provider in the U.S. (Sprint) has an LEO portal that provides that information for nothing more than a nominal fee.

It's not "nothing more than a nominal fee" and due process still applies. Your location is not private, but your phone number or your validated identity IS, and the LEOs require that information first before they can nab your location. They cannot simply troll for a random person and get their location.

And that "nominal charge" (which isn't that nominal) is audited, and back charged to the case file. Access to the system WITHOUT documentation of a case ID and cause is a clear violation of due process. A few cops got burned real quick checking on the location of their friend's wives and it stopped real fast when a department or three got handed massive fines and some cops got suspended.

The reason the LEO portal exists is essentially to speed the process up. Judges do not refuse the location tracking requests, and it's not a pre-action warrant point anyway, so they simply save the time and do a quick electronic form, get the location, arrest the person, etc. Sprint does not want to deal with lawyers, judges, forms, and more for fairly routine information requests, so they set up a system and gave them (heavily audited) access.

Just because the data is there, and little more than probable cause can get it (not that transaction data falls in the same class as GPS location anyway, it WOULD require a warrant, as your call history equally does today), does not mean they can simply wave a pen and access it, or that there are not very real consequences for doing it.